(54) Abstract Title

Secure data transmission links 

(57) This invention generally relates to secure communications links for data transmission and more
particularly relates to data communications links in which asymmetric cryptographic techniques are used to
establish a secure link using symmetric cryptography.

A method of establishing a secure communications link between a terminal and a server, the method
comprising assembling a message comprising a secret number and a digital signature for the secret number,
the digital signature being generated using a private key for the server; encrypting the message at the server
end of the communications link using a public key for the terminal; sending said encrypted message from the
server to the terminal; decrypting said encrypted message at the terminal using a private key for the terminal;
validating the message by checking the digital signature using a public key for the server; and establishing
said secure communications link using said secret number, wherein the public and private keys for the
terminal and server are public and private keys of an asymmetric cryptographic technique. Corresponding
software is also provided. The secret number may be obtained using the Diffie-Hellman protocol.

Also disclosed is a method of mutual key authentication involving the transmission of messages
including a certificate containing the identity of the originator and their public key.

The method facilitates fast and, if desired, anonymous download of software to a mobile
communications system terminal.



[Drawing sheets 2/3 and 3/3: figures not reproduced]

2384402



SECURE DATA TRANSMISSION LINKS

This invention generally relates to secure communications links for data transmission
and more particularly relates to data communications links in which asymmetric
cryptographic techniques are used to establish a secure link using symmetric
cryptography.

Data transmission is becoming increasingly important within mobile phone networks
and, in particular, this is important to so-called 2.5G and 3G (Third Generation)
networks as described, for example, in the standards produced by the Third Generation
Partnership Project (3GPP, 3GPP2), technical specifications for which can be found at
www.3gpp.org and which are hereby incorporated by reference.

Secure data transmission is important for m-commerce but, in addition to this, the
secure download and installation of software onto mobile terminals will also be
important for multimedia entertainment, tele-medicine, upgrades for programmable
mobile terminals, upgrades to different wireless standards, and the like. Reconfigurable
mobile terminals are able to provide increased flexibility for end users who can
customise the terminals for their personal needs by downloading and installing the
desired applications, for example to support different types of radio systems and to
allow the integration of different systems. However, techniques are needed to protect
mobile terminals against hackers maliciously substituting their software for software
available from a handset manufacturer, network operator or trusted third party source.

Broadly speaking at present two basic cryptographic techniques, symmetric and
asymmetric, are employed to provide secure data transmission, for example for software
download. Symmetric cryptography uses a common secret key for both encryption and
decryption, along traditional lines. The data is protected by restricting access to this
secret key and by key management techniques, for example, using a different key for
each transmission or for a small group of data transmissions. A well-known example of
symmetric cryptography is the US Data Encryption Standard (DES) algorithm (FIPS-
46, FIPS-47-1, FIPS-74, FIPS-81 of the US National Bureau of Standards). A variant of
this is triple DES (3DES) in which three keys are used in succession to provide
additional security. Other examples of symmetric cryptographic algorithms are RC4
from RSA Data Security, Inc and the International Data Encryption Algorithm (IDEA).

Asymmetric or so-called public key cryptography uses a pair of keys, one "private" and
one "public" (although in practice distribution of the public key is also often restricted).
A message encrypted with the public key can only be decrypted with the private key,
and vice-versa. An individual can thus encrypt data using the private key for decryption
by anyone with the corresponding public key and, similarly, anyone with the public key
can securely send data to the individual by encrypting it with the public key, safe in the
knowledge that only the private key can be used to decrypt the data.

Asymmetric cryptographic systems are generally used within an infrastructure known as
Public Key Infrastructure (PKI) which provides key management functions.
Asymmetric cryptography can also be used to digitally sign messages by encrypting
either the message or a message digest, using the private key. Providing the recipient
has the original message they can compute the same digest and thus authenticate the
signature by decrypting the message digest. A message digest is derived from the
original message and is generally shorter than the original message, making it difficult to
compute the original message from the digest; a so-called hash function may be used to
generate a message digest.

A Public Key Infrastructure normally includes provision for digital identity Certificates.
To prevent an individual posing as somebody else, an individual may prove his identity
to a certification authority which then issues a certificate signed using the authority's
private key and including the public key of the individual. The Certification
Authority's public key is widely known and therefore trusted and, since the certificate
could only have been encrypted using the authority's private key, the public key of the
individual is verified by the certificate. Within the context of a mobile phone network a
user or the network operator can authenticate their identity by signing a message with
their private key; likewise a public key can be used to verify an identity. Further details
of PKI for wireless applications can be found in WPKI, WAP-217-WPKI, version 24-
April-2001 available at www.wapforum.org and in the X.509 specifications (PKIX)
which can be found at www.ietf.org, all hereby incorporated by reference.

In the context of 3G mobile phone systems standards for secure data transmission have
yet to be determined and discussions are currently taking place in the MExE forum
(Mobile Execution Environment Forum) at www.mexeforum.org. Reference may also
be made to ISO/IEC 11770-3, "Information Technology - Security Techniques - Key
Management - Part 3: Mechanism Using Asymmetric Techniques", DIS 1996.

Asymmetric cryptography was first publicly disclosed by Diffie and Hellman in 1976
(W. Diffie and D.E. Hellman, "New directions in cryptography", IEEE Transactions on
Information Theory, 22 (1976), 644-654) and a number of asymmetric cryptographic
techniques are now in the public domain, of which the best known is the RSA (Rivest,
Shamir and Adleman) algorithm (R.L. Rivest, A. Shamir and L.M. Adleman, "A
method for obtaining digital signatures and public-key cryptosystems",
Communications of the ACM, 21 (1978), 120-126). Other more recent algorithms
include elliptic curve cryptosystems (see, for example, X9.63, "Public key
cryptography for the financial services industry: Key agreement and key transport using
elliptic curve cryptography", Draft ANSI X9F1, October (1999)). The above-
mentioned X.509 ITU (International Telecommunications Union) standard is commonly
used for public key certificates. In this a certificate comprising a unique identifier for a
key issuer, together with the public key (and normally information about the algorithm
and certification authority), is included in a directory, that is a public repository of
certificates for use by individuals and organisations.

The main aims of a security system are authentication - of the data originator or
recipient, access control, non-repudiation - proving the sending or reception of data,
integrity of the transmitted data, and confidentiality. Preferably there should be
provision for "anonymous" data download, that is the provision or broadcasting of data
without specifically identifying a recipient.
The symmetric and asymmetric cryptographic techniques outlined above each have
advantages and disadvantages. Asymmetric approaches are less resource-efficient,
requiring complex calculations and relatively longer key lengths than symmetric
approaches to achieve a corresponding level of security. A symmetric approach,
however, requires storage of secret keys within the terminal and does not provide non-
repudiation or anonymous software download. The present invention combines both
these approaches, broadly speaking using public key techniques to transfer a secret
session key. A symmetric session may then be established using this key, for example
to download software securely. After software download this key may be stored in a
repository in the mobile terminal for non-repudiation purposes or discarded once the
software or other data download is complete. This technique supports a hierarchical
infrastructure for key management such as X.509 or WPKI, the ability to broadcast to
multiple mobile terminals, the ability to anonymously download software to mobile
terminals (adopting asymmetric techniques) and faster software download by mobile
terminals after establishing a symmetric session (using symmetric techniques).

According to one aspect of the invention there is therefore provided a method of
establishing a secure communications link between a terminal and a server, the method
comprising: assembling a message comprising a secret number and a digital signature
for the secret number, the digital signature being generated using a private key for the
server; encrypting the message at the server end of the communications link using a
public key for the terminal; sending said encrypted message from the server to the
terminal; decrypting said encrypted message at the terminal using a private key for the
terminal; validating the message by checking the digital signature using a public key for
the server; and establishing said secure communications link using said secret number,
wherein the public and private keys for the terminal and server are public and private
keys of an asymmetric cryptographic technique.

The secret number may either be sent alongside the digital signature or, where the
signature is generated using an algorithm which allows message extraction, within the
digital signature itself. The identity of the sender or recipient may be included within
the message with, optionally, a time stamp or random number or nonce (as described
above with reference to other aspects of the invention). Again the technique may be
employed where the establishment of the link is initiated by either the server or the
terminal.
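As an added illustration that is not part of the patent, the following Go program works through the server-initiated key transport described above, using the symbols of Equation 1 later in the text (k, B, T_A, LC, P_B): the server signs the secret session key, recipient identifier, time stamp and licence, encrypts the result under the terminal's public key, and the terminal decrypts, checks the identifier and the time-stamp window, verifies the signature and only then derives an AES-GCM session cipher. Ed25519 for the signature, RSA-OAEP for the encryption, the length-prefixed field encoding, the 300-second acceptance window and all identifiers are this example's assumptions.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// encodeFields length-prefixes each field so the concatenation k || B || T_A || LC
// of Equation 1 parses unambiguously (the prefixes are this example's assumption).
func encodeFields(fields ...[]byte) []byte {
	var buf bytes.Buffer
	for _, f := range fields {
		var n [2]byte
		binary.BigEndian.PutUint16(n[:], uint16(len(f)))
		buf.Write(n[:])
		buf.Write(f)
	}
	return buf.Bytes()
}

// decodeFields reverses encodeFields and insists on exactly n fields, no more.
func decodeFields(data []byte, n int) ([][]byte, error) {
	out := make([][]byte, 0, n)
	for len(out) < n {
		if len(data) < 2 || len(data) < 2+int(binary.BigEndian.Uint16(data)) {
			return nil, errors.New("truncated field")
		}
		l := 2 + int(binary.BigEndian.Uint16(data))
		out, data = append(out, data[2:l]), data[l:]
	}
	if len(data) != 0 {
		return nil, errors.New("trailing bytes")
	}
	return out, nil
}

// BuildM1 is the server (A) side of Equation 1, M1 = P_B(k || B || T_A || S_A(k || B || T_A || LC)):
// A signs with its Ed25519 key and encrypts everything under B's RSA-OAEP public key,
// so only B can read k and only A could have produced the signature.
func BuildM1(aSign ed25519.PrivateKey, bEnc *rsa.PublicKey, k, idB []byte, tA int64, lc []byte) ([]byte, error) {
	t := make([]byte, 8)
	binary.BigEndian.PutUint64(t, uint64(tA))
	sig := ed25519.Sign(aSign, encodeFields(k, idB, t, lc))
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, bEnc, encodeFields(k, idB, t, lc, sig), []byte("M1"))
}

// OpenM1 is the terminal (B) side: decrypt with B's private key, check the recipient
// identifier and the time-stamp window (the replay hindrance the text describes),
// verify A's signature, and only then release k and LC.
func OpenM1(bDec *rsa.PrivateKey, aVerify ed25519.PublicKey, m1, myID []byte, now, window int64) (k, lc []byte, err error) {
	body, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, bDec, m1, []byte("M1"))
	if err != nil {
		return nil, nil, fmt.Errorf("decrypt: %w", err)
	}
	f, err := decodeFields(body, 5)
	if err != nil {
		return nil, nil, err
	}
	k, idB, t, lc, sig := f[0], f[1], f[2], f[3], f[4]
	if !bytes.Equal(idB, myID) || len(t) != 8 {
		return nil, nil, errors.New("malformed or not addressed to this terminal")
	}
	if tA := int64(binary.BigEndian.Uint64(t)); tA < now-window || tA > now+window {
		return nil, nil, errors.New("time stamp outside acceptance window (possible replay)")
	}
	if !ed25519.Verify(aVerify, encodeFields(k, idB, t, lc), sig) {
		return nil, nil, errors.New("server signature invalid")
	}
	return k, lc, nil
}

// SessionAEAD turns the transported k into the AES-256-GCM cipher for the fast symmetric phase.
func SessionAEAD(k []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(k)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	aPub, aPriv, _ := ed25519.GenerateKey(rand.Reader) // server signing pair
	bPriv, _ := rsa.GenerateKey(rand.Reader, 2048)     // terminal encryption pair
	k := make([]byte, 32)
	rand.Read(k)
	idB, lc := []byte("terminal-B"), []byte("licence:demo-app-v1") // constructed values
	m1, err := BuildM1(aPriv, &bPriv.PublicKey, k, idB, 1_700_000_000, lc)
	if err != nil {
		panic(err)
	}
	k2, lc2, err := OpenM1(bPriv, aPub, m1, idB, 1_700_000_030, 300)
	fmt.Printf("M1 %d bytes; k recovered: %v; LC %q; err %v\n", len(m1), bytes.Equal(k, k2), lc2, err)
}
```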

Thus, in another aspect, the invention provides a method of establishing a secure
communications link between a server and a terminal, the method comprising:
assembling a message comprising a secret number and a digital signature for the secret
number, the digital signature being generated using a private key for the terminal;
encrypting the message at the terminal end of the communications link using a public
key for the server; sending said encrypted message from the terminal to the server;
decrypting said encrypted message at the server using a private key for the server;
validating the message by checking the digital signature using a public key for the
terminal; and establishing said secure communications link using said secret number;
wherein the public and private keys for the server and terminal are public and private
keys of an asymmetric cryptographic technique.

A still further aspect of the invention relates to a method of establishing a secure
communications link between a terminal and a server, the method comprising:
performing, at the server end of the communications link, a signing operation on a
message comprising a secret number, using a private key for the server, to generate a
digital signature, the message being recoverable from the digital signature; sending a
message comprising the digital signature from the server to the terminal; extracting the
secret number from the digital signature at the terminal and establishing said secure
communications link using the secret number.

This technique complements that described above but allows the anonymous
downloading of software and other data and is therefore usable, for example, for
broadcasting a session key. Preferably an identification certificate for the server is
stored in the terminal and the message includes an identifier for the server, although this
is not essential because, for example, the terminal may be pre-programmed to trust
software from only one or a predefined group of sources.

In a yet further aspect the invention provides a method of establishing a secure
communications link between a mobile terminal and a server of a mobile
communications system, one of the terminal and server being an originator and the
other a recipient, the method comprising: sending a first message from the originator to
the recipient, the first message comprising: an identity certificate for the originator, the
certificate including a public key for the originator, a first data block, and a signature of
the originator generated by operating on the first data block, the first data block
comprising at least an identifier for the originator and a secret number encrypted using a
public key of the recipient; and authenticating the first message at the recipient using the
originator identifier.

The originator identifier may be used, for example, to check the originator's signature.
Again the technique may be employed where the establishment of the link is initiated by
either the server or the terminal.

For convenience the method has been described as it applies to both ends of the
communication link. However aspects of the invention provide separately only those
steps of the method implemented at the server end and only those steps implemented at
the terminal end of the link.

In other aspects the invention provides computer program code to implement the
method at the server end of the link and computer program code to implement the
method at the terminal end of the link. This code is preferably stored on a carrier such
as a hard or floppy disk, CD- or DVD-ROM or on a programmed memory such as a
read-only memory or Flash memory, or it may be provided on an optical or electrical
signal carrier. The skilled person will appreciate that the invention may be implemented
either purely in software or by a combination of software (or firmware) and hardware,
or purely in hardware. Likewise the steps of the method as implemented at either end of
the link need not necessarily be performed within a single processing element but
could be distributed amongst a plurality of such elements, for example on a network of
processors.

Embodiments of the above-described methods remove the necessity of installing a
unique symmetric session key in the mobile terminal at manufacture and provide the
ability to broadcast to multiple terminals and to provide anonymous software download
which is not otherwise achievable with symmetric techniques. The ability to
anonymously download software and other data enables secure software and data
download for each terminal/client request, thus enabling the downloading of free
software, tickets, coupons and excerpts of streamed media data such as music and
MPEG movie clips. The combination of symmetric and asymmetric techniques, and in
particular the ability of the methods to operate within an X.509 or WPKI infrastructure,
also facilitates m-commerce. Furthermore the procedures are not entirely reliant on
asymmetric techniques and allow the faster symmetric algorithms also to be employed.

The skilled person will recognise that features and aspects of the above invention may 
be combined where greater security is required. 

The invention will now be further described, by way of example only, with reference to 
the accompanying figures in which: 

Figure 1 shows a generic structure for a 3G mobile phone system; 

Figure 2 shows a schematic representation of key management for a secure
communications link between a mobile device of a mobile phone network and a server
coupled to the network; and

Figure 3 shows a computer system for implementing a method according to an
embodiment of the present invention.

Figure 1 shows a generic structure of a third generation digital mobile phone system at
10. In Figure 1 a radio mast 12 is coupled to a base station 14 which in turn is
controlled by a base station controller 16. A mobile communications device 18 is
shown in two-way communication with base station 14 across a radio or air interface
20, known as a Um interface in GSM (Global Systems for Mobile Communications)
networks and GPRS (General Packet Radio Service) networks and a Uu interface in
CDMA2000 and W-CDMA networks. Typically at any one time a plurality of mobile
devices 18 are attached to a given base station, which includes a plurality of radio
transceivers to serve these devices.
Base station controller 16 is coupled, together with a plurality of other base station
controllers (not shown), to a mobile switching centre (MSC) 22. A plurality of such
MSCs are in turn coupled to a gateway MSC (GMSC) 24 which connects the mobile
phone network to the public switched telephone network (PSTN) 26. A home location
register (HLR) 28 and a visitor location register (VLR) 30 manage call routing and
roaming, and other systems (not shown) manage authentication and billing. An operation
and maintenance centre (OMC) 29 collects statistics from network infrastructure
elements such as base stations and switches to provide network operators with a high
level view of the network's performance. The OMC can be used, for example, to
determine how much of the available capacity of the network or parts of the network is
being used at different times of day.

The above described network infrastructure essentially manages circuit switched voice
connections between a mobile communications device 18 and other mobile devices
and/or PSTN 26. So-called 2.5G networks such as GPRS, and 3G networks, add packet
data services to the circuit switched voice services. In broad terms a packet control unit
(PCU) 32 is added to the base station controller 16 and this is connected to a packet data
network such as Internet 38 by means of a hierarchical series of switches. In a GSM-
based network these comprise a serving GPRS support node (SGSN) 34 and a gateway
GPRS support node (GGSN) 36. It will be appreciated that both in the system of
Figure 1 and in the system described later the functionalities of elements within the
network may reside on a single physical node or on separate physical nodes of the
system.

Communications between the mobile device 18 and the network infrastructure generally
include both data and control signals. The data may comprise digitally encoded voice
data or a data modem may be employed to transparently communicate data to and from
the mobile device. In a GSM-type network text and other low-bandwidth data may also
be sent using the GSM Short Message Service (SMS).

In a 2.5G or 3G network mobile device 18 may provide more than a simple voice
connection to another phone. For example mobile device 18 may additionally or
alternatively provide access to video and/or multimedia data services, web browsing, e-
mail and other data services. Logically mobile device 18 may be considered to
comprise a mobile terminal (incorporating a subscriber identity module (SIM) card)
with a serial connection to terminal equipment such as a data processor or personal
computer. Generally once the mobile device has attached to the network it is "always
on" and user data can be transferred transparently between the device and an external
data network, for example by means of standard AT commands at the mobile terminal-
terminal equipment interface. Where a conventional mobile phone is employed for
mobile device 18 a terminal adapter, such as a GSM data card, may be needed.

Figure 2 schematically illustrates a model 200 of a system employing a method
according to an embodiment of the present invention. A mobile device 202 is coupled
to a mobile communications network 208 via a radio tower 206. The mobile
communications network 208 is in turn coupled to a computer network 210, such as the
Internet, to which is attached a server 204. One or both of the mobile device 202 and
server 204 stores a digital certificate, the digital certificate 212 stored in mobile device
202 including a public key for server 204 and the digital certificate 214 stored in server
204 including a public key for the mobile device 202. (Other embodiments of the
invention dispense with one or both of these digital certificates).

A PKI session key transport mechanism 216 is provided to transport a session key
between the mobile device 202 and the server 204, the PKI transport mechanism
employing asymmetric cryptographic techniques using information from one or both of
the digital certificates. The session key transported by the PKI mechanism is a secret
session key for use with a symmetric cryptographic procedure and, because of the PKI
transport, there is no need to store and manage pre-installed unique secret session keys
on the server or mobile device.

The PKI transport mechanism 216 may comprise a unilateral transport mechanism from
the server to the mobile device or vice-versa or may provide a mutual exchange
mechanism for obtaining a shared session key. The server may be operated by a
network operator, mobile device manufacturer, or a trusted or untrusted third party;
where the server is operated by an untrusted third party, the digital certificates may be
dispensed with.

The mobile device is typically controlled by a user of the mobile communications
network. For simplicity only a single mobile device is shown although, in general, a
session key may be multicast to a plurality of such devices, or even broadcast.

Figure 3 shows a general purpose computer system 300 for implementing methods, as
described below, according to embodiments of the invention. Depending upon whether
the computer system is at the server end or the mobile user end of the link the computer
system may comprise part of the server 204 of Figure 2 or part of the mobile device 202
of Figure 2. Where the computer system comprises part of the mobile device it may be
implemented within the device itself or on a separate computer system attached to the
device or in some other manner, for example on a SIM card or similar module.

The computer system comprises an address and data bus 302 to which is coupled a
keyboard 308, display 310 and an audio interface 306 in the case of a mobile phone or a
pointing device 306 in the case of a server (unless the implementation is on a SIM card,
in which case the phone provides these functions). Also coupled to bus 302 is a
communications interface 304 such as a network interface (for a server), a radio
interface (for a phone) or a contact pad interface (for a SIM card). Further coupled to
bus 302 are a processor 312, working memory 314, non-volatile data memory 316, and
non-volatile programme memory 318, the non-volatile memory typically comprising
Flash memory.

The non-volatile programme memory 318 stores network communications code for the
phone/server's SIM card operating system and symmetric and asymmetric cryptography
code. Processor 312 implements this code to provide corresponding symmetric and
asymmetric cryptography processes and a network communications process. The non-
volatile data memory 316 stores a public key, preferably within a digital certificate, the
server storing a public key for one or more mobile users, the mobile device storing
public keys for one or more server operators. The non-volatile data memory also stores
a symmetric session key, once this has been established, software (either for download
from the server or software which is being downloaded onto the mobile device/SIM
card) and preferably licence data for the software and, in some instances, one or more
installation tickets for controlling use of downloaded software. The software may
comprise data such as video or MP3 data or code.

Generally it is desirable that software or data is obtained by a mobile terminal from
trustworthy entities or trusted providers such as manufacturers, operators, and service
providers that can be relied upon to make correct statements about the validity of
software modules. The information that a trusted entity considers a specific core
software module to be valid should preferably be made available to the terminal in a
secure way.

In a symmetric approach a so-called ticket server issues installation tickets only for
valid software modules. It is controlled and operated by a trusted provider. By issuing
an installation ticket, the ticket server represents that the software module which the
ticket is referring to is valid. The installation ticket contains a cryptographically strong,
collision-resistant (hard to guess) one-way hash value of the software module which the
terminal uses to check the integrity of the downloaded software module. A Message
Authentication Code (MAC) (for example a keyed hash function; see, for example,
Computer data authentication, National Bureau of Standards FIPS Publication 113,
1985) is used to protect the installation ticket. This MAC is computed using a secret key
shared by the terminal and the ticket server. By checking a ticket's MAC, the terminal
verifies that a trusted provider has issued the ticket and that the ticket has not been
modified. Then it checks the integrity of the received software module by comparing the
hash value of the received software module with the one contained in the installation
ticket. However, this technique does not guarantee non-repudiation in the event of any
dispute between the trusted provider and the terminal users, since both share the secret
key, so anyone who has the secret key could generate the MAC of a ticket.

An asymmetric signed license approach makes use of public-key cryptography.
Similarly to the ticket-based approach, a license contains the information necessary to
authenticate the integrity of a software module. A signed license can be a newly defined
format, or it can be in a previously defined format, such as an X.509 certificate or a
WTLS (Wireless Transport Layer Security) certificate. A license should preferably at
least contain the cryptographic hash of the software module; other pertinent
information, such as validity dates, the issuer identity, and the recipient identity, can also
be included. The license is signed by a license server, which is controlled and operated
by a trusted provider.

The license server issues licenses only for valid software modules, so by issuing a
license for a piece of software, the license server in effect states that this software
module is valid. Since a public-key signature scheme is used, every entity that has
access to the public key of the license server can check the signature of a license. Thus,
this approach provides non-repudiation if there is any dispute between mobile terminal
users and the service provider, which will protect both parties. In other words, only the
license server can generate a valid signature for a license since only the license server
knows the corresponding private key to sign the license.

Terminals can obtain an installation ticket or a signed license in different ways. They
can wait until a software module is received and then directly ask for the ticket or
license from the server. Alternatively, a ticket or license may be obtained indirectly
through a download server or reconfiguration manager node. In the indirect approach,
the software is bundled with the ticket or license and the entire package is sent to the
terminal.

The symmetric and asymmetric approaches differ in the requirements they put on the
terminal capabilities and on the amount of security data. The signed license approach
requires that the terminal perform asymmetric cryptographic operations, which, in
general, are more costly than symmetric cryptographic operations in terms of processing
power and memory, both of which are in short supply on a terminal. The ticket-server
approach requires only secret-key cryptography, which, in general, requires less
processing. However, in the symmetric approach, communication with an online ticket
server is always necessary, whereas with the asymmetric approach, it is not necessary
for the license server to always be online.
In both cases, the terminal needs to compute the collision-resistant one-way hash value
of the loaded software module. In the symmetric approach a ticket's validity is
confirmed using a MAC, and in the asymmetric approach, a licence's validity is
confirmed by checking a digital signature. A digital signature typically requires more
data, so the number of bits in a license will generally be more than in a ticket.
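To make the ticket/licence comparison concrete, here is an added Go example (not from the patent) that issues and verifies both artefacts over a constructed software module: an installation ticket whose module hash is protected by an HMAC under a key shared with the ticket server, and a signed licence carrying the hash, issuer, recipient and validity date. Both detect a modified module; the closing check shows why the ticket gives no non-repudiation, since the terminal, holding the shared key, can mint a valid ticket itself. HMAC-SHA256, Ed25519 and the field encodings are assumptions of this example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// ModuleHash is the collision-resistant one-way hash of the software module that
// both a ticket and a licence carry and that the terminal recomputes on receipt.
func ModuleHash(module []byte) []byte {
	h := sha256.Sum256(module)
	return h[:]
}

// Ticket is the symmetric form: the module hash protected by a MAC under the key
// shared by terminal and ticket server (HMAC-SHA256 stands in for the keyed hash;
// the two-field layout is an assumption of this example).
type Ticket struct {
	Hash, MAC []byte
}

func ticketMAC(sharedKey, hash []byte) []byte {
	m := hmac.New(sha256.New, sharedKey)
	m.Write(hash)
	return m.Sum(nil)
}

func IssueTicket(sharedKey, module []byte) Ticket {
	h := ModuleHash(module)
	return Ticket{Hash: h, MAC: ticketMAC(sharedKey, h)}
}

// VerifyTicket first checks the MAC (issued under the shared key and unmodified?)
// and then the integrity of the received module against the hash in the ticket.
func VerifyTicket(sharedKey []byte, t Ticket, module []byte) bool {
	return hmac.Equal(ticketMAC(sharedKey, t.Hash), t.MAC) && bytes.Equal(t.Hash, ModuleHash(module))
}

// Licence is the asymmetric form: hash plus issuer, recipient and validity end,
// signed by the licence server's private key (field set as suggested in the text;
// the encoding is this example's own, not X.509 or WTLS).
type Licence struct {
	Hash              []byte
	Issuer, Recipient string
	NotAfter          int64
	Sig               []byte
}

// tbs is the to-be-signed encoding, length-prefixed so fields cannot run together.
func (l Licence) tbs() []byte {
	var b bytes.Buffer
	for _, f := range [][]byte{l.Hash, []byte(l.Issuer), []byte(l.Recipient)} {
		var n [2]byte
		binary.BigEndian.PutUint16(n[:], uint16(len(f)))
		b.Write(n[:])
		b.Write(f)
	}
	var t [8]byte
	binary.BigEndian.PutUint64(t[:], uint64(l.NotAfter))
	b.Write(t[:])
	return b.Bytes()
}

func IssueLicence(priv ed25519.PrivateKey, module []byte, issuer, recipient string, notAfter int64) Licence {
	l := Licence{Hash: ModuleHash(module), Issuer: issuer, Recipient: recipient, NotAfter: notAfter}
	l.Sig = ed25519.Sign(priv, l.tbs())
	return l
}

// VerifyLicence needs only the licence server's public key, so any party can check
// it, and the server cannot later deny having issued it (non-repudiation).
func VerifyLicence(pub ed25519.PublicKey, l Licence, module []byte, now int64) bool {
	return now <= l.NotAfter && ed25519.Verify(pub, l.tbs(), l.Sig) && bytes.Equal(l.Hash, ModuleHash(module))
}

func main() {
	module := []byte("constructed sample software module")
	shared := []byte("constructed 32-byte shared key!!") // constructed terminal/ticket-server key
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)   // licence server key pair
	tk := IssueTicket(shared, module)
	lc := IssueLicence(priv, module, "operator", "terminal-B", 2_000_000_000)
	tampered := append([]byte{}, module...)
	tampered[0] ^= 0xff
	fmt.Println("ticket:  genuine", VerifyTicket(shared, tk, module), "tampered", VerifyTicket(shared, tk, tampered))
	fmt.Println("licence: genuine", VerifyLicence(pub, lc, module, 1_700_000_000), "tampered", VerifyLicence(pub, lc, tampered, 1_700_000_000))
	// The terminal holds the shared key too, so it can mint a valid ticket for any
	// module: a good MAC says nothing about who issued it, hence no non-repudiation.
	fmt.Println("ticket minted by the terminal itself verifies:", VerifyTicket(shared, IssueTicket(shared, tampered), tampered))
}
```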

The main objective of both these approaches is to protect terminals against malicious
downloaded software. They do not protect against attacks that involve physical
modifications of the terminal, such as the replacement of program memory, nor are they
intended to limit the distribution and use of software or to protect a software module
against reverse-engineering. The security of the symmetric approach, however, requires
that the terminal maintain the secrecy of the cryptographic key that it shares with the
ticket server, whereas the asymmetric approach relies on a public key, i.e. the level of
secrecy required to protect the symmetric key is necessary for protecting the public key.

In this described embodiment, to integrate the symmetric and asymmetric approaches it
is assumed that PKI (Public Key Infrastructure) is employed and trusted parties such as
manufacturers and operators issue their certificates to mobile terminals which store
them in secure tamper-resistant modules such as smart or other cards (for example, a
SIM: Subscriber Identity Module, WIM: Wireless Identity Module, SWIM: Combined
SIM and WIM, USIM: Universal Subscriber Identity Module).

PKI provides non-repudiation and protects both parties; the symmetric session key
provides a low overhead and fast download once it has been transported (using the
certified public key) from trusted parties such as manufacturers, operators, etc. This
session key may be valid for only a short period for increased security.

This approach provides a unique secret session key so there is no need to install such a
key, and no need for permanent secure storage of a key in the mobile terminal which
otherwise can limit the key management between the trusted service providers and the
terminals and the ability to broadcast to multiple mobile terminals and provide
anonymous software download. The anonymous software download techniques for the
mobile terminal which will be described enable secure software download for each
terminal/client request such as downloading free software, tickets, coupons and the like.

Firstly, software download techniques initiated by the operator/server will be described. 
The originator A, in this example the trusted software provider (i.e. the terminal 
manufacturer, network operator, or the like), is assumed to possess a priori an authentic 
copy of the encryption public key of the intended recipient B, the mobile terminal, and 
the terminal is assumed to have a copy of the server's (public) encrypting key. 

One technique for establishing a shared secret session key is then as follows: 

$M1: A \to B: P_B(k \| B \| T_A \| S_A(k \| B \| T_A \| LC))$   Equation 1 

where $M1: A \to B$ denotes that A sends M1 to B, and where $k$ is a secret session key, $B$ 
is an optional identifier for B (the intended recipient), $T_A$ is an optional time stamp that 
is generated by A, $LC$ is an optional digital licence, for example a software licence, and 
$\|$ denotes concatenation of data. Utilising a time stamp hinders replay attacks, but in 
other embodiments a (preferably random) number may be used in addition to, or in 
place of, the time stamp $T_A$, which is for example generated from a clock. Such a number may be used as 
a seed for a deterministic pseudo-random number generator so that both A and B can 
then generate synchronised series of pseudo-random numbers for use as session keys. 
Such a number (in the message) may be a nonce, a number used only once. $P_B(Y)$ 
denotes public key encryption, such as RSA (R.L. Rivest, A. Shamir and L.M. 
Adleman, "A method for obtaining digital signatures and public-key cryptosystems", 
Communications of the ACM, 21 (1978), 120-126), ECC (N. Koblitz, "Elliptic curve 
cryptosystems", Mathematics of Computation, 48 (1987), 203-209) or ElGamal (T. 
ElGamal, "A public key cryptosystem and a signature scheme based on discrete 
logarithms", IEEE Transactions on Information Theory, 31 (1985), 469-472), of data Y 
using party B's public key, and $S_A(Y)$ denotes a signature operation on Y using A's 
private signature key. 



Alternatively, a signature operation which allows recovery of the signed message can be 
used, such as the RSA signature with message recovery algorithm (ISO/IEC 9796, 
"Information technology - Security techniques - Digital signature scheme giving 
message recovery", International Organization for Standardization, Geneva, 
Switzerland, 1991), as follows: 

$M1: A \to B: P_B(S_A(k \| B \| T_A \| LC))$   Equation 2 

where $k$ is a secret session key, $B$ is an optional identifier for B (the intended recipient), 
$T_A$ is an optional time stamp that is generated by A, and $LC$ is an optional digital 
licence, for example a software licence. 

In use, once the terminal obtains a signed session key, for example with a licence, the 
terminal waits for a software module to arrive and, after receiving the software, the 
terminal is able (i.e. permitted) to execute the software with the session key. 
Alternatively, an entire software package can be sent to the terminal together with a signed 
session key and licence. 

A related technique employing an anonymous RSA signature with message recovery 
can be used for downloading free software and coupons. This can be useful for trusted 
service providers wishing to broadcast trial versions of software and short clips of music 
and movies. In such cases it is desirable for anyone to be able to intercept messages to 
obtain a session key. This key may be valid for only a short period, for example 30 
minutes for a film trailer, reducing the need for authentication, although it is desirable to 
provide for identification of the session key issuer, preferably an identification which 
can be easily verified. Thus the session key may be digitally signed by the 
manufacturer/operator or the service provider. One embodiment of this technique is 
therefore as follows: 

$M1: A \to B: S_A(k \| B \| T_A \| LC)$   Equation 3 

where $k$ is a secret session key, $B$ is an optional identifier for B (the intended recipient), 
$T_A$ is an optional time stamp that is generated by A, and $LC$ is an optional digital 
licence, for example a software licence. 

In this embodiment an RSA signature operation with message recovery scheme is used 
(for example, ISO/IEC 9796:1991). Since the message is signed by A there is no need 
to include an identifier for A; including an identifier for the recipient allows the 
recipient to confirm they are the intended recipient. The terminals receiving M1 each 
have an appropriate certificate for A, the originator/operator, for example stored on the SIM, 
to allow the message to be extracted from $S_A$. This can also be used for broadcasting 
a session key to allow free software download, and enables terminals to download 
software anonymously. 

In a variant of this technique, the key k is replaced by a Diffie-Hellman public value $g^n \bmod p$ 
(see, for example, W. Diffie and D.E. Hellman, ibid), where n is a positive integer 
satisfying $1 < n < p - 2$. An alternative to M1 is then as follows: 

$M1: A \to B: S_A(g^n \bmod p \| B \| T_A \| LC)$   Equation 4 

where $g^n \bmod p$ takes the place of the secret session key k, $B$ is an optional identifier for B (the intended recipient), 
$T_A$ is an optional time stamp that is generated by A, and $LC$ is an optional digital 
licence, for example a software licence. 

The mobile terminal B or the client can obtain the server's public value $Y_A = g^a \bmod p$ 
that is contained in the server key exchange, or the SIM may contain the server's public 
value; in the same way the server holds the terminal's Diffie-Hellman public value $Y_B = g^b \bmod p$, 
b being the terminal's private value. The originator (in this example, the server A) chooses a random value n, 
computes $g^n \bmod p$ and sends M1 including $g^n \bmod p$ to the terminal. The server A can 
then compute a session key $k = Y_B^n \bmod p = (g^b)^n \bmod p = g^{bn} \bmod p$ and the terminal B can 
compute the same session key using $k = (g^n)^b \bmod p = g^{nb} \bmod p$. 
Encrypted software may then be sent to the terminal B by encrypting the software with 
the common session key. An eavesdropper does not know the private values (that 
is, n and b) and thus it is computationally infeasible to determine the session key. This method 
can be used for distributing system software to mobile equipment for anonymous secure 
software download, for example for broadcasting a SIM update, because no individual 
recipient need be specified in M1. 

In the above scenarios, upon decrypting M1, the recipient B can use the session key to 
download software from the originator/operator A. After the software download, B may 
put the session key in the repository or may discard the key, which is chosen depending 
on, among other things, the key management between the trusted service providers and 
the terminals. For an operating system upgrade a non-anonymous, rather than an 
anonymous, technique is preferred, as it is useful to know to whom the upgrade has been 
sent. 

Next, software download techniques initiated by the mobile terminal will be described; 
these are close to mirror images of the above server-initiated techniques. We will 
describe secure software download and anonymous software download techniques 
based on asymmetric techniques such as RSA and Diffie-Hellman, for initiating key 
changes from the mobile terminal. These techniques can be used for establishing a 
symmetric session key for secure implementation of each individual request for a data 
item or group of items, such as software, tickets, coupons, and the like. 

In the technique, signed blocks are encrypted by combining a digital signature and public 
key encryption as follows: 



$M1: B \to A: P_A(k \| A \| T_B \| S_B(k \| A \| T_B \| LC))$   Equation 5 

where $k$ is a secret session key, $A$ is an optional identifier for A (the intended recipient), 
$T_B$ is an optional time stamp generated by B, and $LC$ is an optional digital licence, for 
example a software licence. 

The terminal, B, generates a session key and signs a combination of the session key, A's 
identity and a time stamp. This session key, signature and, optionally, the time stamp 
and A's identifier, are encrypted with the server's certified public key extracted, for 
example, from a prior server key exchange message. Software, such as video clips and 
music, is sent from the server A to the client B using the session key. Since an 
eavesdropper does not know the server's private key, it is computationally infeasible for 
him/her to compromise the session key k, particularly since this may be valid only for 
one session or a limited period. 

As previously described, an anonymous cryptographic technique such as anonymous RSA 
can also be used, as follows: 

$M1: B \to A: P_A(k \| A \| T_B \| LC)$   Equation 6 

where $k$ is a secret session key, $A$ is an optional identifier for A (the intended recipient), 
$T_B$ is an optional time stamp generated by B, and $LC$ is an optional digital licence, for 
example a software licence. 

The terminal, B, generates a session key k and encrypts it with the server's certified 
public key (extracted from a server key exchange message). The software may then be 
sent to the client B using the session key k. Since an eavesdropper does not know the 
server's private key, it is computationally infeasible for the one-time session key k to be 
compromised. 

Alternatively, an anonymous Diffie-Hellman cryptographic technique can be employed 
as follows (a mobile-initiated technique is described; the server-initiated technique 
corresponds): 
First an appropriate prime p and generator g of $\mathbb{Z}_p^*$ are selected and published and, for 
example, stored on the terminal SIM. Here $\mathbb{Z}_p^*$ is the multiplicative group $\{1, 2, 3, \ldots, p-1\}$ 
and $2 \le g \le p - 2$. One way to generate an appropriate p and g is described in RFC 
(Request For Comments) 2631. 

$M1: B \to A: g^b \bmod p$   Equation 7 

The mobile terminal B or client can obtain the server's public value $Y_A = g^a \bmod p$, 
where a is the private key of the server, for example from a server key exchange. 
Preferably, however, the server's public value is stored in the SIM. The terminal chooses 
a random value b, computes $g^b \bmod p$ and sends M1, $g^b \bmod p$ (optionally encrypted), to the 
server. Both a and b are positive integers satisfying $1 \le a \le p-2$ and $1 \le b \le p-2$. The 
mobile terminal B can compute a key for a symmetric session 
$k = Y_A^b \bmod p = (g^a \bmod p)^b \bmod p = g^{ab} \bmod p$ and the server A can compute the 
same session key $k = (g^b \bmod p)^a \bmod p = g^{ab} \bmod p$. Encrypted data or software may 
then be sent to the terminal B by encrypting it with the session key, or the session key may 
be used by both the terminal and server to generate another common key, for example 
by operating on data known to both with k. An eavesdropper does not know the private 
key of the server (a) and it is thus computationally infeasible to determine the session key. 
Anonymous RSA and Diffie-Hellman can be used, for example, for downloading free 
software, tickets and coupons. 

Anonymous software download techniques generally only provide protection against 
passive eavesdroppers. An active eavesdropper, or active man-in-the-middle attack, may 
replace the finished message with their own during the handshaking process for creating 
sessions. In order to avoid this attack, server authentication is desired. 

Analogously to the anonymous RSA signature technique with message recovery 
described above with reference to Equation 4, the Diffie-Hellman value $g^b \bmod p$ may 
be encrypted using the originator's (that is, in this example, B's) private key. More 
specifically, it may be protected by sending the Diffie-Hellman value as a digital 
signature from which the signed message is recoverable. The recipient may then 
recover $g^b \bmod p$ using the originator's public key, more specifically by extracting the 
message from the signature. 

Under certain circumstances, the Diffie-Hellman (DH) and the related Elliptic Curve 
Diffie-Hellman (ECDH) key agreement schemes (X9.63, "Public key cryptography for 
the financial services industry: Key agreement and key transport using elliptic curve 
cryptography", Draft ANSI X9F1, October (1999)) are susceptible to a class of attacks 
known as "small-subgroup" attacks, where, if a key belongs to a small subgroup, a 
directed brute-force attack based on guessing keys from the subgroup may succeed. In 
the anonymous DH and ECDH cases there is a risk that such a small-subgroup attack 
will lead communicating parties to share a session key which is known to an attacker. 
This threat can be alleviated by using a predetermined group determined by "good" or 
"strong" values of g and p and checking that received public keys do not lie in a small 
subgroup of the group, or by not re-using ordinary DH key pairs. Background 
information on protection against these attacks can be found in the draft ANSI standards 
X9.42 (X9.42, "Agreement of symmetric keys using Diffie-Hellman and MQV 
algorithms", ANSI draft, May (1999)) and X9.63 (X9.63, "Public key cryptography for 
the financial services industry: Key agreement and key transport using elliptic curve 
cryptography", Draft ANSI X9F1, October (1999)). 

Mutual key authentication protocols will now be described. In these, both A and B are 
authenticated by exchanging messages having information or a property characteristic 
of A and B; in the protocols below the messages are encrypted using the public keys of A and B. 

In a first mutual authentication process A and B possess each other's authentic public key 
or, alternatively, each party has a certificate carrying its own public key, and one additional message 
is sent by each party for certificate transport to the other party. Background information 
on this protocol can be found in Needham and Schroeder (R.M. Needham and M.D. 
Schroeder, "Using encryption for authentication in large networks of computers", 
Communications of the ACM, 21 (1978), 993-999). 



The messages sent are as follows: 

$M1: A \to B: P_B(k_1 \| A \| T_A)$   Equation 8 

$M2: B \to A: P_A(k_1 \| k_2)$   Equation 9 

$M3: A \to B: P_B(k_2)$   Equation 10 



The steps of the procedure are as follows: 

1. The originator operator (or server) A sends M1, including a first key $k_1$, to B. 

2. The receiver user (terminal) B recovers $k_1$ upon receiving M1, and returns M2, 
including a second key $k_2$, to A. 

3. Upon decrypting M2, A checks that the key recovered from M2 agrees with 
that sent in M1. A then sends B M3. 

4. Upon decrypting M3, B checks that the key recovered from M3 agrees with that 
sent in M2. The session key may be computed as $f(k_1 \| k_2)$ using an appropriate 
publicly known non-reversible function f such as MD5 (Message Digest 5, as 
defined in RFC 1321) or SHA-1 (Secure Hash Algorithm 1, see, for example, 
US National Bureau of Standards Federal Information Processing Standards 
(FIPS) Publication 180-1); both of these are now considered weak, and a current 
implementation would use SHA-256 or stronger. 

5. B then starts downloading software by using the symmetric session key 
$f(k_1 \| k_2)$. After software download, B may discard the session key or keep it for 
a short period, depending on the key management strategy. 

A second, X.509, mutual authentication process operates in the context of the X.509 
strong two-way authentication procedure (ISO/IEC 9594-8, "Information technology - 
Open systems interconnection - The directory: Authentication framework", 
International Organisation for Standardization, Geneva, Switzerland, 1995) and is described 
as follows: 

Let $D_A = (T_A \| R_A \| B \| P_B(k_1))$ and $D_B = (T_B \| R_B \| A \| P_A(k_2))$.   Equation 11 

where A and B comprise identifiers for the server and terminal respectively. 

$M1: A \to B: Cert_A \| D_A \| S_A(D_A)$   Equation 12 

$M2: B \to A: Cert_B \| D_B \| S_B(D_B)$   Equation 13 

where $Cert_A$ and $Cert_B$ are public certificates for A and B respectively. The steps of 
the procedure are as follows: 

1. A obtains a timestamp $T_A$ indicating an expiry time, then generates a random 
number $R_A$, obtains a symmetric key $k_1$, encrypts $k_1$ using $P_B$ and sends a 
message M1 to B. (Since the message is signed by A there is no need to include 
an identifier for A; including an identifier for the recipient in $D_A$ allows the 
recipient to confirm they are the intended recipient.) 

2. B verifies the authenticity of $Cert_A$, extracts A's signature public key, and 
verifies A's signature on the data block $D_A$. B then checks that the identifier in 
M1 specifies itself as intended recipient and that the timestamp is valid, and 
checks that $R_A$ has not been replayed. 

3. If all checks succeed, B declares the authentication of A successful, decrypts 
$k_1$ using its private key as a session key, and saves this now shared key for downloading software 
securely. (This terminates the protocol if only unilateral authentication is 
desired.) B then obtains a timestamp $T_B$, generates a random number $R_B$, and 
sends A a message M2. 

4. Similarly, A carries out actions analogous to those carried out by B. If all checks 
succeed, A declares the authentication of B successful, and key $k_2$ is available 
for subsequent use. A and B share mutual secrets $k_1$ and $k_2$, so the session key 
may be computed as $f(k_1 \| k_2)$, which may then be used for downloading 
software securely (here "software" is used in a general sense to mean any data). 

An authenticated Diffie-Hellman session key exchange can be achieved by using public 
key encryption as follows: 

The originator A (that is, the trusted software provider, terminal manufacturer, operator 
or the like) and a mobile terminal B each possess an authentic copy of the encryption public 
key of B and A respectively; this may be, for example, locally stored, or the public keys may be 
exchanged between the parties, for example, as digital certificates. As with the anonymous 
Diffie-Hellman described above, an appropriate prime p and generator g of 
$\mathbb{Z}_p^*$ ($2 \le g \le p-2$) are selected and published and, preferably, stored locally in the 
terminal. Messages are then exchanged as follows: 

$M1: A \to B: P_B(g^a \bmod p \| A \| T_A)$   Equation 14 

$M2: B \to A: P_A(g^b \bmod p \| B \| T_A \| T_B)$   Equation 15 

$M3: A \to B: S_A(E_k(software \| LC))$   Equation 16 

where A and B and $P_A$ and $P_B$ comprise identifiers and public keys of the originator and 
terminal respectively, $T_A$ and $T_B$ are time stamps for messages from A and B 
respectively (A, B, $T_A$ and $T_B$ are optional), and $E_k$ denotes an encryption operation performed 
using key k. 

A chooses a random value a, computes $g^a \bmod p$ and sends M1 to B (there is no need 
to store $g^a \bmod p$ in the terminal and, because this value is encrypted, it is safe from 
man-in-the-middle attacks). The mobile terminal B decrypts the received message 
using its private key and chooses a random value b, computes $g^b \bmod p$ and sends M2 
(containing $g^b \bmod p$) to A, which decrypts the message using its private key. Both a and b are 
positive integers satisfying $1 \le a \le p-2$ and $1 \le b \le p-2$. The terminal B then computes a 
session key $k = (g^a \bmod p)^b \bmod p = g^{ab} \bmod p$; the originator A can also compute the 
session key using $k = (g^b \bmod p)^a \bmod p = g^{ab} \bmod p$. A then signs the encrypted 
software and LC, preferably encrypted using the shared session key k, and sends it to B; here LC is 
a software licence, optionally specifying a validity period of the session key k, giving 
copyright details and the like. An eavesdropper does not know the private keys of A and 
B nor the commitment values a and b, and thus it is computationally infeasible to 
determine the session key, and the threat from man-in-the-middle attacks is alleviated. 
The encrypted identifiers A and B provide a guarantee of the sender's identity for the 
messages; thus preferably M1 includes A, although there is less need for M2 to include 
B. Similarly, only B (apart from A) knows $T_A$, since it was encrypted under B's public key, so including this in M2 (whether or not $T_B$ is also 
included) allows A to infer that the message was correctly received by B. Including $T_B$ 
permits a time window $T_B - T_A$ to be defined; this is preferably shorter than any likely 
decrypt time, for example less than one hour. Here, preferably, $T_A$ defines a sending 
time for M1 and $T_B$ a receive time (at B) for M1. 
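The exchanges described above, as an added worked example that is not code from the patent: it implements the small-subgroup check on a received public value (the X9.42/X9.63 countermeasure mentioned earlier), the anonymous exchange of Equation 7 with the session key hashed together with data known to both sides, and the encrypted exchange of Equations 14 and 15 with the time stamps and the signed M3 left out. The group is the 2048-bit MODP group of RFC 3526 (a safe prime p = 2q + 1 with g = 2), assumed here in place of the RFC 2631 group generation the text cites; ElGamal, one of the P_X schemes the text names, stands in for the public key encryption, and SHA-256 for the unspecified function applied to k. The identifiers and context strings are constructed for the example.

```python
import hashlib
import secrets

# 2048-bit MODP group of RFC 3526 (group 14).  p is a safe prime, p = 2q + 1,
# so an element of Z_p^* has order 1, 2, q or 2q, and g = 2 generates the
# subgroup of prime order q.  In the patent's setting p and g live on the SIM.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF",
    16,
)
Q = (P - 1) // 2
G = 2


def validate_public_value(y: int) -> bool:
    """Small-subgroup check on a received g^x mod p.  The range test alone
    admits p-1 (order 2); y^q == 1 holds exactly for the order-q subgroup."""
    if not 2 <= y <= P - 2:
        return False
    return pow(y, Q, P) == 1


def generate_keypair():
    """Private exponent x in [1, q-1] and public value g^x mod p."""
    x = 1 + secrets.randbelow(Q - 1)
    return x, pow(G, x, P)


def derive_session_key(private: int, peer_public: int, context: bytes) -> bytes:
    """k = peer^private mod p, then hashed with data known to both sides
    (the text's 'generate another common key'; SHA-256 is an assumption)."""
    if not validate_public_value(peer_public):
        raise ValueError("peer public value rejected by subgroup check")
    shared = pow(peer_public, private, P)
    return hashlib.sha256(shared.to_bytes(256, "big") + context).digest()


def elgamal_encrypt(y: int, m: int) -> tuple:
    """ElGamal encryption of a group element m under public key y = g^x."""
    r = 1 + secrets.randbelow(Q - 1)
    return pow(G, r, P), (m * pow(y, r, P)) % P


def elgamal_decrypt(x: int, ct: tuple) -> int:
    c1, c2 = ct
    s = pow(c1, x, P)
    return (c2 * pow(s, P - 2, P)) % P      # s^(p-2) is s^-1 mod p (Fermat)


def anonymous_dh_exchange() -> bool:
    """Equation 7: B sends g^b mod p in the clear, A holds (a, g^a mod p)."""
    a, y_a = generate_keypair()             # server value, e.g. held on the SIM
    b, y_b = generate_keypair()             # terminal's fresh value, sent as M1
    context = b"A||B"                       # constructed identifiers
    return derive_session_key(a, y_b, context) == derive_session_key(b, y_a, context)


def authenticated_dh_exchange() -> bool:
    """Equations 14 and 15 (time stamps and signed M3 omitted): each fresh DH
    value travels under the peer's public encryption key, so a man in the
    middle cannot substitute a value without the matching private key."""
    x_a, y_a = generate_keypair()           # A's long-term encryption key pair
    x_b, y_b = generate_keypair()           # B's long-term encryption key pair
    a, g_a = generate_keypair()             # A's fresh a, g^a mod p
    b, g_b = generate_keypair()             # B's fresh b, g^b mod p
    m1 = elgamal_encrypt(y_b, g_a)          # M1: A -> B: P_B(g^a mod p)
    m2 = elgamal_encrypt(y_a, g_b)          # M2: B -> A: P_A(g^b mod p)
    k_b = derive_session_key(b, elgamal_decrypt(x_b, m1), b"A||B")
    k_a = derive_session_key(a, elgamal_decrypt(x_a, m2), b"A||B")
    return k_a == k_b


def forced_shared_secret(private: int) -> int:
    """What an unchecked party computes after an active attacker replaces the
    peer's value with p-1: the 'secret' is 1 or p-1, both known to the attacker."""
    return pow(P - 1, private, P)
```

forced_shared_secret shows why the range check alone is not enough: p-1 lies inside [2, p-2] but has order 2, so an attacker who substitutes it knows the resulting secret up to sign; validate_public_value rejects it because (p-1)^q = -1 mod p for odd q.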

In variants of the method, alternatives to M3 are as follows: 

i) $M3: A \to B: E_k(software \| LC)$ 

ii) $M3: A \to B: E_k(software \| LC) \| S_A(E_k(software \| LC))$ 

iii) $M3: A \to B: E_k(software) \| S_A(LC)$ 

These alternatives can provide faster encryption. In (ii) a signature operation without 
message recovery can be used; in (iii) only the licence is signed, preferably 
with message recovery, unless the licence is within the software (optionally, in (iii), an 
encrypted version of the licence $E_k(LC)$ may be signed). 

Timestamps may be used to provide freshness and message uniqueness guarantees, and can provide a time 
window within which a message must be received. This helps provide security against 
known-key attacks and against the replay attacks to which the unilateral key 
authentication protocols are otherwise vulnerable. The security of timestamp-based techniques relies on use of a 
common time reference. This in turn requires that synchronised host clocks be available 
and that clock drift be acceptable given the time window used. In 
practice, synchronisation to better than 1 minute is preferred, although synchronisation to 
better than 1 hour may be acceptable with longer time windows. Synchronisation can 
be achieved by, for example, setting an internal clock for the terminal on manufacture. 
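A terminal-side check of the freshness and recipient fields carried inside M1 (k || B || T_A, with the optional nonce and licence, as in Equation 1), as an added example that is not code from the patent; it covers only what B does after the outer decryption and signature verification, which are out of scope here. The two-byte length prefixes on each field, the acceptance window, the clock-skew allowance and the nonce cache are assumptions of this example, the time stamp is an integer second count supplied as `now` so the code runs offline, and all field values are constructed.

```python
import secrets
import struct

# The patent writes the signed block as k || B || T_A || LC.  Bare concatenation
# of variable-length fields is ambiguous (k || B can be split several ways), so
# each field is length-prefixed here (an assumption of this example) before it
# is signed or encrypted.


def encode_fields(*fields: bytes) -> bytes:
    out = b""
    for f in fields:
        out += struct.pack(">H", len(f)) + f
    return out


def decode_fields(data: bytes) -> list:
    fields, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated length prefix")
        (n,) = struct.unpack(">H", data[i:i + 2])
        i += 2
        if i + n > len(data):
            raise ValueError("truncated field")
        fields.append(data[i:i + n])
        i += n
    return fields


def build_m1_payload(k: bytes, recipient: bytes, t_a: int,
                     nonce: bytes = None, lc: bytes = b"") -> bytes:
    """Originator side: the inner block k || B || T_A || nonce || LC.  The nonce
    is the '(preferably random) number' the text allows beside the time stamp."""
    nonce = secrets.token_bytes(16) if nonce is None else nonce
    return encode_fields(k, recipient, struct.pack(">Q", t_a), nonce, lc)


class Recipient:
    """Terminal-side state: own identifier, acceptance window (seconds),
    tolerated clock skew, and the nonces seen inside the window."""

    def __init__(self, ident: bytes, window_s: int = 300, skew_s: int = 60):
        self.ident = ident
        self.window_s = window_s
        self.skew_s = skew_s
        self.seen = {}          # nonce -> arrival time, purged past the window

    def _purge(self, now: int) -> None:
        horizon = now - self.window_s - self.skew_s
        self.seen = {n: t for n, t in self.seen.items() if t >= horizon}

    def check_m1(self, payload: bytes, now: int) -> bytes:
        """Return k if the block is addressed to us, fresh and not a replay."""
        k, ident, t_a_raw, nonce, lc = decode_fields(payload)
        if ident != self.ident:
            raise ValueError("not the intended recipient")
        (t_a,) = struct.unpack(">Q", t_a_raw)
        if t_a > now + self.skew_s:
            raise ValueError("timestamp is in the future")
        if now - t_a > self.window_s:
            raise ValueError("timestamp outside the acceptance window")
        self._purge(now)
        if nonce in self.seen:
            raise ValueError("nonce already seen: replay")
        self.seen[nonce] = now
        return k
```

Because a stale time stamp is rejected on its own, the nonce cache only has to remember nonces for the window plus the skew allowance, which keeps the replay check bounded on a terminal with little storage; the skew allowance is what makes the text's "synchronisation to better than 1 minute" a workable requirement rather than an exact one.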

Where the terminal possesses an authentic certificate for A, the originator or operator 
(either locally stored or received in a message), then the above unilateral key 
authentication techniques provide secure software download. For mutual authentication 
protocols where both A and B possess authentic certificates or public keys there are no 
known attacks which will succeed, apart from brute force attacks to recover the private 
keys of A and B. However, in the X.509-context procedure, because there is no 
inclusion of an identifier such as A within the scope of the encryption $P_B$ within $D_A$, 
one cannot guarantee that the signing party actually knows the plaintext key. That is, 
because the identity is not encrypted, the message could be signed by someone who had 
not encrypted the key. 

The use of public key technology to transport a symmetric session key for secure 
software download has been described. This combines the advantages of both the 
asymmetric and symmetric approaches. PKI provides non-repudiation and protects 
both parties if there is a dispute, but PKI is computationally intensive and would be 
inefficient for secure software download on its own. A symmetric session key provides 
a means to enable efficient and fast download once the key has been transported using a 
certified public key issued by trusted parties. The lifetime of the session key can be 
short (for example, for a single data transfer) or long (for example, months) depending 
on the security requirements and the likelihood of the key being compromised. 

The described techniques are also suitable for the MExE standard for future 
programmable mobile user equipment. Moreover, the anonymous software download 
techniques enable secure software download for each terminal/client request for 
downloading free software, tickets and coupons, as well as for secure M-Commerce. 

Embodiments of the invention have been described in the context of a server and mobile 
terminal of a mobile communications system, but aspects of the invention also have other 
applications, for example in networked computer systems. It will also be recognised that, in 
general, either the terminal or the server may comprise the initial message originator in 
the above protocols, although for conciseness the specific exemplary embodiments are 
described with reference to one or other of these as the originator. The invention is not 
limited to the described embodiments but encompasses modifications apparent to those 
skilled in the art within the spirit and scope of the claims. 
CLAIMS: 

1. A method of establishing a secure communications link between a terminal and 
a server, the method comprising: 

assembling a message comprising a secret number and a digital signature for the 
secret number, the digital signature being generated using a private key for the server; 

encrypting the message at the server end of the communications link using a 
public key for the terminal; 

sending said encrypted message from the server to the terminal; 

decrypting said encrypted message at the terminal using a private key for the 
terminal; 

validating the message by checking the digital signature using a public key for 
the server; and 

establishing said secure communications link using said secret number; 
wherein the public and private keys for the terminal and server are public and 
private keys of an asymmetric cryptographic technique. 

2. A method as claimed in claim 1 wherein said message further comprises an 
identifier for the terminal and said digital signature is generated by performing a signing 
operation on both said secret number and said terminal identifier. 

3. A method as claimed in claim 1 or 2 wherein the secret number is valid for a 
time period and wherein the message further comprises a time stamp, the method further 
comprising checking the validity of said secret number using the time stamp and 
establishing said secure communications link dependent upon the result of said checking. 

4. A method according to claim 1 , 2 or 3 wherein the digital signature is generated 
by a signing operation which permits a message on which the signing operation is 
performed to be recovered from the digital signature, and wherein the secret number in 
the message is contained within said digital signature. 
5. A method according to claim 1, 2 or 3 wherein said digital signature is generated 
using a digest of said secret number. 

6. A method as claimed in any one of claims 1 to 5 wherein the terminal and server 
comprise, respectively, a mobile terminal and server of a digital mobile communications 
system. 

7. A method as claimed in claim 6 further comprising: 

retrieving a public key for the server from storage in the mobile terminal for 
checking said digital signature. 

8. A method of establishing a secure communications link between a server and a 
terminal, the method comprising: 

assembling a message comprising a secret number and a digital signature for the 
secret number, the digital signature being generated using a private key for the terminal; 

encrypting the message at the terminal end of the communications link using a 
public key for the server; 

sending said encrypted message from the terminal to the server; 

decrypting said encrypted message at the server using a private key for the 
server; 

validating the message by checking the digital signature using a public key for 
the terminal; and 

establishing said secure communications link using said secret number; 
wherein the public and private keys for the server and terminal are public and 
private keys of an asymmetric cryptographic technique. 

9. A method of establishing a secure communications link between a terminal and 
a server, the method comprising: 

performing, at the server end of the communications link, a signing operation on 
a message comprising a secret number, using a private key for the server, to generate a 
digital signature, the message being recoverable from the digital signature; 

sending a message comprising the digital signature from the server to the 
terminal; 
extracting the secret number from the digital signature at the terminal and 
establishing said secure communications link using the secret number. 

10. A method as claimed in claim 9 wherein the secret number comprises a Diffie-
Hellman value $g^n \bmod p$, where p is a prime number and g is a generator for a Diffie-
Hellman key exchange protocol and n is a positive integer less than p-1. 

11. A method as claimed in claim 9 or 10 wherein the message further comprises an 
identifier for the server, the method further comprising: 

retrieving from storage in the terminal an identification certificate for the server 
including at least a public key for the server, and 

using the server public key to extract said secret number. 

12. A method as claimed in claim 9, 10 or 11 wherein the secret number is valid for 
a time period and wherein the message further comprises a time stamp, the method 
further comprising checking the validity of said secret number using the time stamp and 
establishing said secure communications link dependent upon the result of said 
checking. 

13. A method of establishing a secure communications link between a server and a 
terminal, the method comprising: 

performing, at the terminal end of the communications link, a signing operation 
on a message comprising a secret number using a private key for the terminal to 
generate a digital signature, the message being recoverable from the digital signature; 

sending a message comprising the digital signature from the terminal to the 
server; 

extracting the secret number from the digital signature at the server and 
establishing said secure communications link using the secret number. 

14. A method as claimed in claim 13 wherein the secret number comprises a Diffie-
Hellman value $g^n \bmod p$, where p is a prime number and g is a generator for a Diffie-
Hellman key exchange protocol and n is a positive integer less than p-1. 
15. A method of establishing a secure communications link between a mobile 
terminal and a server of a mobile communications system, one of the terminal and 
server being an originator and the other a recipient, the method comprising: 

sending a first message from the originator to the recipient, the first message 
comprising: 

an identity certificate for the originator, the certificate including a public key for 
the originator, 

a first data block, and 

a signature of the originator generated by operating on the first data block, 
the first data block comprising at least an identifier for the originator and a secret 
number encrypted using a public key of the recipient; and 

authenticating the first message at the recipient using the originator identifier. 

16. A method as claimed in claim 15 further comprising: 

sending a second message from the recipient to the originator, the second 
message comprising: 

an identity certificate for the recipient, the certificate including a public key for 
the recipient, 

a second data block; and 

a signature of the recipient generated by operating on the second data block, 
the second data block comprising at least an identifier for the recipient and a 
secret number encrypted using a public key of the sender; and 

authenticating the second message at the originator using the recipient identifier. 

17. A data transmission link configured to implement the method of any one of 
claims 1 to 16. 

18. A carrier carrying computer program code for a terminal to implement the part 
of the method of any one of claims 1 to 16 performed at the terminal end of the 
communications link. 



19. A terminal including the carrier of claim 18. 
20. A carrier carrying computer program code for a server to implement the part of 
the method of any one of claims 1 to 16 performed at the server end of the 
communications link. 

21. A server including the carrier of claim 20. 